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Preface 



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by 
the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General 
Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our 
oversight responsibilities to promote economy, efficiency, and effectiveness within the department. 

The attached report presents the results of the Federal Emergency Management Agency's fiscal year 
2008 Mission Action Plans audit. We contracted with the independent public accounting firm 
KPMG LLP (KPMG) to perform the audit. The contract required that KPMG perform its audits 
according to generally accepted government auditing standards and guidance from the Office of 
Management and Budget and the Government Accountability Office. KPMG is responsible for the 
attached auditor's report and the conclusions expressed in it. 

The recommendations herein have been discussed in draft with those responsible for 
implementation. We trust this report will result in more effective, efficient, and economical 
operations. We express our appreciation to all of those who contributed to the preparation of this 
report. 




Richard L. Skinner 
Inspector General 



KPMG LLP 

2001 M Street, NW 
Washington, DC 20036 



May 12, 2009 

Ms. Anne Richards 

Assistant Inspector General for Audit 

Department of Homeland Security, Office of the Inspector General 

Ms. Peggy Sherry 

Acting Chief Financial Officer 

Department of Homeland Security 

This report presents the results of our work conducted to address the performance audit objectives relative 
to the Department of Homeland Security's (DHS or the Department) Mission Action Plans (MAPs) 
developed to address the internal control deficiencies at the Federal Emergency Management Agency 
(FEMA). These deficiencies were identified by management and/or reported in the KPMG LLP (KPMG) 
Independent Auditors' Report included in the Department's fiscal year 2008 Annual Financial Report. 

This performance audit is part of a series of three performance audits that the Department's Office of 
Inspector General (OIG) engaged us to perform related to the Department's fiscal year 2009 MAPs for 
use in developing the Department's Internal Control Over Financial Reporting (ICOFR) Playbook. This 
performance audit was designed to meet the objectives identified in the Objectives, Scope, Methodology 
and Approach section of this report. Our procedures were performed using the MAPs provided to us on 
January 21, 2009. Interviews with DHS and FEMA management and other testwork was performed at 
various times through May 12, 2009, and our results reported herein are as of May 12, 2009. 

We conducted this performance audit in accordance with Government Auditing Standards. Those 
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide 
a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the 
evidence obtained provides a reasonable basis for our findings based on our audit objectives. 

This performance audit did not constitute an audit of the financial statements in accordance with 
Government Auditing Standards. KPMG was not engaged to, and did not, render an opinion on the 
Department's or FEMA's internal control over financial reporting or over financial management systems 
(for purposes of OMB Circular No. A- 127, Financial Management Systems, as revised). KPMG cautions 
that projecting the results of our evaluation to future periods is subject to the risks that controls may 
become inadequate because of changes in conditions or because compliance with controls may 
deteriorate. 
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EXECUTIVE SUMMARY 



The Department has identified deficiencies in internal control over financial reporting through its annual 
assessment conducted pursuant to Office of Management and Budget (OMB) Circular No. A- 123, 
Management 's Responsibility for Internal Control, and in compliance with the Federal Managers ' 
Financial Integrity Act (FMFIA). Some of the deficiencies were identified as significant deficiencies or 
material weaknesses, in the Independent Auditors' Report included in the FY 2008 DHS Annual 
Financial Report (AFR). Beginning in 2006, the Department began a comprehensive corrective action 
plan to remediate known internal control deficiencies. The plan is documented in the Internal Controls 
Over Financial Reporting Playbook (ICOFR Playbook). The Mission Action Plan (MAP) is a key 
element of the ICOFR Playbook that documents the remediation actions planned for each internal control 
deficiency at the DHS component level. The MAP provides specific actions, timeframes, key milestones, 
assignment of responsibility, and validation procedures. 

The Federal Emergency Management Agency (FEMA) developed four MAPs related to significant 
deficiencies or material weaknesses (as presented in the FY 2008 Independent Auditors' Report) 
submitted by FEMA to the Department's Chief Financial Officer for inclusion in the FY 2009 ICOFR 
Playbook. The MAPs address control deficiencies identified in: 

• Entity Level Controls (ELC) 

• Financial Reporting 

• Budgetary Accounting 

• Property Management 

Objective, Scope, Methodology and Approach 

We conducted our audit in accordance with the standards applicable to such audits contained in the 
Government Auditing Standards, issued by the Comptroller General of the United States. 

The objective of this performance audit was to evaluate and report on the status of the four MAPs 
described above. Our audit was performed using criteria to evaluate the MAP development process and 
content. The evaluation criteria were developed from a variety of sources including technical guidance 
published by OMB, the Government Accountability Office, and from applicable laws and regulations. 
We also considered DHS' policies and guidance, and input from the Office of Inspector General when 
designing evaluation criteria. Our evaluation criteria were: 

• Identification (of the root cause) - Identification of the appropriate underlying root cause that is 
causing the internal control deficiency condition(s). 

• Development (of the MAP) - Clear action steps that address the root cause, and attainable and 
measurable milestones at an appropriate level of detail. 

• Accountability (for execution of the MAP) - The individual MAP owner is responsible for its 
successful implementation, ensuring that milestones are achieved and that the validation phase is 
completed. 

• Verification and validation - The MAP includes written procedures to verify successful 
implementation of the MAP, a means to track progress throughout the MAP lifecycle, and 
reporting results when complete. 

Findings and Recommendations: 

We found that FEMA has prepared MAPs that address its known control deficiencies described above, 
and the MAP's were submitted timely to the Department for inclusion with the FY 2009 ICOFR 
Playbook. We noted that: 

1 . The Entity Level Control MAP is not fully developed as of the date of our audit. Accountability for 
remediation is assigned to a " Internal Control Board" of senior executives; however, the Board had 
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not been formed as of the date of our audit, and the Board's Charter is not yet developed. Specific 
verification and validation steps are also not identified. 

We recommend that FEMA form the Internal Control Board of senior executives, and establish the 
Board's Charter. Under the Internal Control Board's direction, develop the MAP, including the 
performance of more extensive root cause analysis and development of associated corrective actions, 
milestones, performance metrics and verification processes. 

2. The Financial Reporting MAP does not adequately emphasize the primary root cause of the control 
weaknesses, which is a lack of a sufficient number of skilled accounting and financial reporting 
resources. The milestones are not sufficiently developed to address the primary cause of the control 
deficiency. The MAP does not include detailed procedures to assess the functionality of current 
information technology (IT) system used in affected processes. The verification and validation 
criteria are focused on results of external audits, instead of on FEMA's own verification and 
validation procedures. 

We recommend that FEMA expand the financial reporting root cause analysis. We also recommend 
that FEMA improve the MAP to include more detailed, specific and measurable action steps and 
assignments to individuals. In addition, FEMA should link the milestones to root causes and 
financial statement assertions, and establish an appropriate and reasonable time-line for completion. 
FEMA should develop a plan for verification and validation that is focused on results of internal 
metrics and is not dependent on reviews of external auditors. 

3. The Budgetary and Property Management MAPs substantially comply with the evaluation criteria 
described above. We noted only nominal findings when compared to the evaluation criteria. In 
addition, we reported that verification and validation procedures should be further developed. We 
have made recommendations for consideration by FEMA management that may improve those 
MAPs. 



FEMA continued to make certain modifications to the MAPs noted above after January 2 1 , 2009 (the date 
we received the MAPs and began our audit), some of which may have addressed our findings presented 
above and within this report. However, we have not performed audit procedures on any modifications 
made to MAP's after the start of our audit, and the effect of those modifications are not reflected in this 
report. 
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BACKGROUND 



The Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) 
recognize that deficiencies in internal control exist. The internal control deficiencies are reported by DHS 
management in its annual Secretary's Assurance Statement, issued pursuant to OMB Circular A-123, 
Management 's Responsibility for Internal Control. The Secretary's Assurance Statement and the findings 
of the external auditor were reported in the Department's fiscal year (FY) 2008 Annual Financial Report 
(AFR). The conditions causing the internal control weaknesses are diverse and complex. Many 
conditions, which are systemic, were inherited with the legacy financial processes and IT systems in place 
at the time of the Department's formation in 2003. The evolution of the Department's mission, programs, 
component restructuring, and other infrastructure changes, has made remediation of these internal control 
weaknesses very challenging. To meet this challenge, the Department's Secretary, Chief Financial 
Officer, and financial management in the DHS components adopted a comprehensive strategy to 
implement corrective actions beginning in FY 2006 and continuing into future years. 

The Office of the Chief Financial Officer (OCFO), Internal Control Program Management Office 
(ICPMO) is primarily responsible for the development and implementation of the Department's strategy 
to implement Mission Action Plans (MAPs). The ICPMO has documented its strategy and other related 
plans to remediate identified internal control deficiencies in the Internal Controls Over Financial 
Reporting Playbook (ICOFR Playbook). 

In 2006, the Department issued Management Directive 1030, Corrective Action Plans, and the 
Department enhanced its existing guidance by issuing the FY 2009 Mission Action Plan Guide (MAP 
Guide). To comply with Management Directive 1030 and the MAP Guide, FEMA prepared four detailed 
MAPs to address the internal control deficiencies over Entity Level Controls; Financial Reporting; 
Property Management; and Budgetary Accounting. The control deficiencies are summarized below: 

• Entity Level Controls - FEMA has not effectively communicated the importance of strong 
financial management and internal controls throughout the agency, has not developed sufficiently 
effective methods of communication, and does not have sufficient resources in its regional 
offices. In addition, FEMA has not documented or updated formal policies and procedures for 
many of the roles within the agency. 

• Financial Reporting - FEMA does not have a sufficient number of experienced financial staff to 
address non-routine accounting issues timely. For instance, FEMA did not prepare and record 
adjustments for its National Flood Insurance Program (NFIP) accurately or establish an accounts 
payable accrual for certain obligations. In addition, FEMA lacks segregation of duties within its 
financial reporting process, and did not fully reconcile its intragovernmental balances with trading 
partners. 

• Budgetary Accounting -FEMA has not adequately monitored the status of its mission assignment 
obligations nor ensured the timely deobligation of mission assignments. The control weaknesses 
surrounding these mission assignments may allow a material misstatement of the related 
undelivered orders to go undetected. During FY 2008, FEMA was unable to obtain timely 
documentary evidence, including sufficient cost/billing data from other Federal agencies 
supporting the progress of active mission assignments, and therefore was not able to deobligate or 
validate the continued carrying of mission assignment undelivered orders timely. In addition, 
FEMA could not provide all supporting documentation for a sample of non-mission assignment, 
non-grant undelivered orders. 

• Property Management - FEMA has not maintained records of actual costs for its internal use 
software or internal use software in development. FEMA is currently estimating and recording an 
estimate of the capitalizable cost of these assets on an annual basis and recording the entry at 
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year-end. In addition, FEMA does not have procedures in place to periodically assess the 
reliability of its internal use software estimates, such as a comparison of estimates to actual costs. 

OBJECTIVE, SCOPE, METHODOLOGY AND APPROACH 
Objective and Scope 

The objective of this performance audit was to evaluate and report on the status of detailed MAPs 
prepared by FEMA to correct internal control deficiencies that are contributing to the Department's 
significant deficiencies or material weaknesses existing at the end of FY 2008. Our evaluation was 
performed using evaluation criteria, described in the methodology section below, to assess the process 
used to develop and document FEMA's FY 2009 MAPs. Our findings, by MAP, are presented below, 
and more detailed findings, categorized by criteria, are presented in the attached Exhibit I. We did not 
evaluate the outcome of the MAP process or any corrective actions taken by management during our 
audit, and our findings should not be used to project ultimate results from MAP implementation. 
Recommendations are provided to help address findings identified during our performance audit. 

The four MAPs subjected to our evaluation were: 

1. Entity Level Controls; 

2. Financial Reporting; 

3. Budgetary Accounting; and 

4. Property Management. 

The MAPs were provided to us by the OCFO, on behalf of FEMA, on January 21, 2009. The scope of 
this performance audit did not include procedures on any of the MAPs associated with other control 
deficiencies existing at FEMA as of September 30, 2008. Our audit was performed between January 21, 
2009 and May 12, 2009, and our results reported herein are as of May 12, 2009. 

FEMA continued to make modifications to the MAPs noted above after January 21, 2009 (the date we 
received the MAPs), some of which may have addressed the comments below. However, we have not 
performed audit procedures on any modifications made to MAP's after the start of our audit, and the 
effect of those modifications are not reflected in this report. 

Methodology and Approach 

We conducted this performance audit in accordance with the standards applicable to such audits contained 
in the Government Auditing Standards, issued by the Comptroller General of the United States. Our 
methodology consisted of the following four-phased approach: 

Project Initiation and Planning - We attended meetings with the Department's OIG, OCFO, and FEMA 
to review the performance audit objectives, scope, describe our approach, communicate data requests, and 
to gain an understanding of the status of FEMA's 2009 MAPs. 

Data Gathering - We performed interviews with accounting and finance management and staff at FEMA 
and OCFO. Through these interviews, we gained an understanding of the process used to develop the 
MAPs, including key inputs and data used, assumptions made, and reasons for conclusions reached. The 
interviews focused on the analysis performed by FEMA to identify the underlying problems creating the 
internal control weakness (root cause) and planned corrective actions, the critical milestones chosen for 
measurement, and the methods used to monitor and validate progress in meeting the milestones. We 
discussed FEMA's resource allocation strategy employed in the development and eventual 
implementation of the MAP, including the utilization of contractors to supplement staff as needed and the 
use of specialists, if necessary. 

We performed reviews of key documents and supporting information provided to us by OCFO. Our 
documentation reviews included: 
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• The four FEMA MAPs (i.e., the MAP Detail and Summary Reports) that were included within 
our scope, and any underlying supporting documentation provided by FEMA. 

• The Notices of Findings and Recommendations (NFRs) issued during the FY 2008 financial 
statement audit by the external auditors that supported the internal control findings reported in the 
FY 2008 Independent Auditors' Report. 

• The Annual Component Head Assurance Statements provided pursuant to the requirements of 
OMB Circular A- 123. 

• The ICOFR Playbook, MD 1030, the MAP Guide, and existing internal control monitoring 
guidance (e.g., OMB Circular No. A-123). 

Analysis Using Established Criteria - Our evaluation criteria was developed from a variety of sources 
including technical guidance published by OMB, e.g., Circular A-123, the GAO, e.g. Standards for 
Internal Control in the Federal Government, and applicable Federal laws and regulations, e.g., FMFIA. 
We also considered DHS' policies and guidance, e.g. the MAP Guide and the ICOFR Playbook, and input 
from the OIG. Our evaluation criteria were: 

• Identification (of the root cause) - Identification of the appropriate underlying root cause that is 
causing the internal control deficiency. A comprehensive analysis typically includes a full 
assessment of the business processes, data flows, and information systems that drive the 
transactions/activities associated with the accounting process where the internal control 
deficiencies are believed to exist. A thorough root cause analysis should include: 

- Research to discover why, when, and how the condition occurred - what went wrong and 
why? 

- Investigation to determine if the problem is design or execution, or both. 

- An evaluation to determine if IT system functionality is contributing to the problem and if IT 
system modifications could be part of the remediation. 

- An evaluation of internal controls, including the existence of compensating controls that may 
mitigate the deficiency. 

• Development (of the MAP) - The MAP includes action steps that address the root cause, and 
attainable and measurable milestones at an appropriate level of granularity. Milestones should 
enable independent analysis of a MAP's effectiveness in remediation of root causes and provide 
MAP users with insight on the status of the MAP's implementation. For example, the MAP 
should enable a user to determine if the appropriate level of resources to execute a milestone is 
available and to identify potential missing elements in milestones (e.g. a contractor may be needed 
before a specific milestone can be achieved). 

• Accountability (for execution of the MAP) - Accountability for the MAP is clearly identified and 
assigned. The individual MAP owner is responsible for its successful implementation, ensuring 
the achievement of milestones and validation of results. 

• Verification and Validation - The MAP includes written procedures that verify successful 
implementation of the MAP, a means to track progress throughout the MAP lifecycle, and 
reporting results when complete. These activities should include documentation reviews, work 
observations, and performance testing that is maintained for internal OMB A-123 review and 
external audit. 

Findings and Recommendations - After conducting our audit, we formulated our findings and 
recommendations. The findings represent areas for potential improvement that could negatively affect 
FEMA's remediation of the significant deficiencies and/or material weaknesses if the MAP is performed 
as designed. 
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FINDINGS AND RECOMMENDATIONS 



Conditions 

FEMA prepared and submitted MAPs to the OCFO as instructed in the MAP Guide. There were MAPs 
for each of the four primary processes where significant deficiencies and material weaknesses existed at 
the end of FY 2008. Based on our inquiry with FEMA personnel, we determined that FEMA was 
knowledgeable of the MAP Guide, performed a limited review to determine the source and cause of the 
control deficiencies, and incorporated the results into the individual MAPs in the form of milestones. 
FEMA management exhibited an understanding of the issues and described some corrective actions that 
were not always documented in the MAP. 

The following chart identifies where we noted areas for improvement by MAP and criteria, indicated by a 
shaded box. Exhibit I provides a detailed explanation of the issues noted. 



Matrix of Conditions 


Criteria: MAP: 


ELC 


FR 


Prop 


Bud 




(1) 


(2) 


(3) 


(4) 


Identification (of root cause) 










Development of MAP 










Accountability of the MAP 










Verification & Validation 











Key: 

ELC - Entity-Level Controls 
FR - Financial Reporting 
Prop - Property Management 
Bud - Budgetary Accounting 



(1) Entity Level Controls - The Entity Level Controls MAP adequately identifies the root causes of this 
control weakness as a lack of an appropriate tone-at-the-top and involvement / ownership by senior 
leadership. However, the root cause analysis is limited to the information in the MAP, and support is not 
available to indicate a meaningful analysis was performed. In addition, the MAP is otherwise 
undeveloped. Milestones are not specific. The MAP does not address remediation of this challenge within 
the milestones or clearly defined future actions. Accountability for remediation is assigned to an "Internal 
Control Board" of senior executives, however the Board has not been formed as of the date of our audit, 
and the Board's Charter is not yet developed. Specific validation and verification steps are not identified. 

(2) Financial Reporting - The root causes described are symptoms of financial reporting control 
deficiencies, instead of the underlying cause. In addition, the root cause analysis is limited to the 
information in the MAPs, and support is not available to indicate a true analysis was performed. The 
milestones are not sufficiently developed to address the primary cause of the control deficiency, and are 
not always clearly linked to root causes or financial statement assertions. The MAP does not include 
detailed procedures to address issues with the reconciliation of intragovernmental transactions, and some 
milestone due dates appear inconsistent. The verification and validation criteria are inappropriately 
focused on results of audits performed by external auditors, and are not clearly linked to FEMA's own 
procedures or the Department's OMB Circular A- 123 initiatives currently underway. 

(3) Property Management and Budgetary Accounting - The Property Management and Budgetary 
Accounting MAPs are generally well developed in three of the four criteria. The root causes and 
milestones developed appear appropriate to address the control deficiencies, and accountability is 
assigned. However, the root cause analysis is limited to the information in the MAPs, and support is not 
available to indicate a true analysis was performed. Both MAPs do not identify all relevant financial 
statement assertions, and some milestones appear duplicative or disjointed. Both MAPs lack a detailed 
plan for verification and validation. 
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Cause/Effect 



The conditions noted above are due to the preliminary stage of development of the MAPs. Management 
has relatively little time from year-end (i.e., September 30, 2008) to the date of submission of the MAPs 
to the DHS Office of the Chief Financial Officer for review. Further development of the MAPs after the 
date of submission is common. In addition, some of the conditions noted above (e.g. interdependencies) 
are for further improvement of the MAPs and are not requirements per the DHS FY09 MAP Guide. A 
lack of a comprehensive and detailed MAP could lead to the control deficiencies not being corrected. 

Recommendations 

We recommend that FEMA perform the following to address our findings: 

1. Entity-Level Controls: 

a. Document the detailed root cause analysis to support the conclusions reached. 

b. Form the Internal Control Board of senior executives, and establish the Board's Charter. 

c. Under the Internal Control Board's direction, further develop the MAP, including detailed 
milestones and performance metrics. 

d. Develop specific verification and validation procedures, to include accountability and due dates. 

2. Financial Reporting: 

a. Expand the root cause analysis related to staffing and human resources. Remove or deemphasize 
root causes that are symptomatic of control deficiencies. In addition, document the detailed root 
cause analysis to support the conclusions reached. 

b. Expand the MAP, especially related to human resources, to include more detailed, specific, and 
measurable action steps. In addition, clearly link the milestones to root causes and financial 
statement assertions, and ensure an appropriate and reasonable time-line for completion. The 
MAP and milestone chart will likely require periodic updates as management proceeds with its 
corrective actions. 

c. Develop a plan for verification and validation that identifies appropriate performance metrics and 
can be used to monitor and report results throughout the MAP milestones. In addition, we 
recommend that FEMA link the MAPs to the Department's OMB Circular A- 123 initiatives 
currently underway. 

3. Property Management and Budgetary Accounting: 

a. Document the detailed root cause analysis to support the conclusions reached. 

b. Clarify the milestones to ensure that duplicative milestones are revised as necessary, and 
timelines are appropriate in relation to other milestones. 

c. Develop a plan for verification and validation that identifies appropriate performance metrics and 
can be used to monitor and report results throughout the MAP milestones. In addition, we 
recommend that FEMA link the MAPs to the Department's OMB Circular A- 123 initiatives 
currently underway. 
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MANAGEMENT RESPONSE TO REPORT 

Management has prepared an official response presented as a separate attachment to this report. In 
summary, management agreed with our findings and its comments were responsive to our 
recommendations. We did not audit management's response and, accordingly, we express no opinion on 
it. 
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KEY DOCUMENTS AND DEFINITIONS 



This section provides key definitions and documents for the purposes of this report. 

The Federal Managers ' Financial Integrity Act (FMFIA) requires that Executive Branch Federal agencies 
establish and maintain an effective internal control environment according to the standards prescribed by 
the Comptroller General. Those standards are published in the Government Accountability Office's 
(GAO) Standards for Internal Control in the Federal Government. In addition, it requires the head of the 
agency to annually evaluate and report on the adequacy of the agency's systems of internal accounting 
and administrative control. 

GAO's Standards for Internal Control in the Federal Government (Standards) defines internal control as 
an integral component of an organization's management that provides reasonable assurance of: 
effectiveness and efficiency of operations, reliability of financial reporting, and compliance with 
applicable laws and regulations. 

The Department of Homeland Security Financial Accountability Act (the DHS FAA) brought the Chief 
Financial Officer (CFO) for DHS under the Chief Financial Officers Act, thus making the DHS CFO a 
Presidentially appointed position requiring Senate confirmation. Furthermore, the DHS FAA requires 
that an audit opinion of the internal controls over financial reporting be included in the Department's 
Performance and Accountability Report. 

Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal 
Control, provides guidance on internal controls and requires agencies and Federal managers to 1) develop 
and implement internal controls; 2) assess the adequacy of internal controls; 3) separately assess and 
document internal control over financial reporting; 4) identify needed improvements; 5) take 
corresponding corrective action; and 6) report annually on internal controls. The successful 
implementation of these requirements facilitates compliance with both FMFIA and the Chief Financial 
Officers Act. 

Office of Management and Budget (OMB) Circular No. A- 127, Financial Management Systems, 
prescribes policies and standards for executive departments and agencies to follow in developing, 
operating, evaluating, and reporting on financial management systems. The successful implementation 
of these requirements facilitates compliance with both FMFIA and the Chief Financial Officers Act. 

Internal Control Deficiencies - A control deficiency exists when the design or operation of a control 
does not allow management or employees, in the normal course of performing their assigned functions, 
to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or 
combination of control deficiencies, that adversely affects DHS' ability to initiate, authorize, record, 
process, or report financial data reliably in accordance with U.S. generally accepted accounting 
principles such that there is more than a remote likelihood that a misstatement of DHS' financial 
statements that is more than inconsequential will not be prevented or detected by DHS' internal control 
over financial reporting. A material weakness is a significant deficiency, or combination of significant 
deficiencies, that results in more than a remote likelihood that a material misstatement of the financial 
statements will not be prevented or detected by DHS' internal control. 

Management Directive (MP) 1030, Corrective Action Plans , establishes DHS' vision and direction on the 
roles and responsibilities for developing, maintaining, reporting, and monitoring CAPs (i.e., MAPs) 
specific to the DHS FAA, FMFIA, and related OMB guidance. In addition to roles and responsibilities, 
MD 1030 outlines the policies and procedures related to the CAP process. The organizational structure 
detailed in MD 1030 encompasses employees at all components and offices. 

The Internal Controls Over Financial Reporting (ICOFR) Playbook (ICOFR Playbook) was developed 
by the OCFO, Internal Control Program Management Office, to design and implement department-wide 
internal controls, pursuant to the DHS FAA, OMB Circular No. A-123, and FMFIA. Per the Executive 
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Summary in the FY 2008 ICOFR Playbook, the Playbook outlines the Department's "strategy to design 
and implement an effective internal control system to support the mission, eliminate material weaknesses, 
and build management assurances." On an annual basis, the ICOFR Playbook is updated by the OCFO to 
enhance its existing guidance, as necessary, and establish action plan milestones, which will be monitored 
by the OCFO throughout the year. One component of the ICOFR Playbook includes MAPs developed by 
the Department and its components to correct material weakness conditions and document 
accomplishments and progress (according to the FY 2008 Playbook). 

The Mission Action Plan Guide, Financial Management Focus Areas Fiscal Year 2008 (MAP Guide) 
outlines the policies and procedures to be used to develop MAPs throughout DHS, pursuant to the roles 
and responsibilities established by the DHS Management Directive (MD) 1030, Corrective Action Plans. 
The MAP Guide applies to all Department Components and Offices (e.g., OCFO) where a control 
deficiency has been identified. Note non-conformances related to the Federal Information Security 
Management Act (FISMA), are under the purview of the Department's Chief Information Security 
Officer 's Plan of Action and Milestones (POA&M) Process Guide. 

Electronic Program Management Office (ePMO) is a Web-based software application the OCFO 
deployed to manage the collection and reporting of MAP information. 

Mission Action Plans (MAPs), as defined in the MAP Guide, are documents prepared to facilitate the 
remediation of internal control deficiencies identified by management or by external parties. MAP 
documentation, as described in detail in the MAP Guide, includes a MAP Summary Report and a MAP 
Detailed Report that are required to be submitted to the OCFO through ePMO. Below are brief 
descriptions of the MAP Summary and MAP Detailed Reports, based on the ePMO MAP Reports Quick 
Guide contained in the MAP Guide: 

• The MAP Summary Report contains sections to describe the issue (e.g. internal control deficiency 
conditions), results of the root cause analysis performed, relevant financial statement assertions 
affected by the issue, key strategies and performance measures, resources required, an analysis of 
the risks and impediments as seen by management, verification and validation methods, and the 
critical milestones to be achieved. 

• The MAP Detailed Report provides additional data on the milestones, not only on those identified 
as critical but also those sub-milestones under a critical milestone. For each milestone (critical or 
sub), the following data is reflected: due date, percentage of completion, status (e.g., Not Started, 
Work in Progress and Completed), and the responsible and assigned parties. 

The Department's Annual Financial Report (DHS AFR) was published on November 17, 2008 and 
consists of the Secretary's Message, Management's Discussion and Analysis, Financial Statements and 
Notes, an Independent Auditors' Report, Major Management Challenges, and other required information. 
The AFR was prepared pursuant to OMB Circular A- 13 6, Financial Reporting Requirements. 
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U.S. Department of Homeland Security 

500 C Street, SW 
Washington, DC 20472 



FEMA 



Ms. Anne Richards 

Assistant Inspector General for Audits 
245 Murray Drive, SW, Building 410 
Washington, DC 20538 
May 12, 2009 

Dear Ms. Richards 

Thank you for the opportunity to comment on the draft Office of the Inspector General's 
(OIG) Performance Audit Objectives Report on the Department of Homeland Security's 
2009 Mission Action Plans (MAPs). In particular, I would like to respond to the findings 
and recommendations related to the MAPs prepared by the Federal Emergency 
Management Agency (FEMA). 

As the report states the performance audit was performed using the FEMA provided 
MAPs dated January 21, 2009. FEMA continues to refine the MAPs to identify and 
address the root causes that are causing the internal control deficiencies, taking action 
steps that address the identified issues, developing measurable milestones, and 
implementing procedures to successfully verify and validate correction of the indentified 
deficiencies. 

The OIG report recommends "FEMA form the Internal Control Board of senior 
executives, and establish the Board's Charter". Also, the report recommends FEMA 
conduct a "more extensive root cause analysis and development of associated corrective 
actions, milestones, performance metrics and verification processes". FEMA has 
indentified and further developed actions to include: 

• Draft Internal Control Board (ICB) documents (i.e., charter, authorization letter, 
letter of commitment) have been reviewed and updated for approval by the 
incoming FEMA Administrator. In addition, a briefing on the vision of the ICB 
has been prepared and will be presented to the incoming FEMA Administrator. 

• FEMA has brought on new leadership within the Office of the Chief Financial 
Officer ((OCFO) including a new Chief Financial Officer and Deputy Chief 
Financial Officer who started in September 2008 and December 2008, 
respectively. In addition, FEMA has filled the vacancy for the Risk Management 
and Compliance, Director Position within the OCFO. 




www.fema.gov 



The OIG report identifies the primary root cause of the control weakness as "lack of a 
sufficient number of skilled accounting and financial reporting resources". Further the 
report recommends FEMA "improve the MAPs to include more detailed, specific and 
measurable action steps and assignments to individuals". FEMA has indentified and 
further developed actions to include: 

• Individual assignments of roles and responsibilities and developing SOPs for key 
assignments in order to formalize the processes and foster knowledge sharing. 

• Reorganized the Financial Management Division to address span of control 
issues and reassigned resources to develop financial reporting processes at the 
FEMA Finance Center. 

• Two additional staff with knowledge of FEMA' s National Flood Insurance 
Program has been selected and will start May 26, 2009 and June 8, 2009. 

• Developed a proposal to elevate Mission Assignments to a separate program area 
to include the proper resources to accomplish intra-governmental reconciliations 
and close-out. 

• Developing an Accounts Payable model and SOP to accurately estimate, record 
and validate quarterly accounts payable liabilities. 

• Formalized the Grant Accrual SOP and has assigned the roles and responsibilities 
to appropriate staff to include levels of supervisory reviews. 

• Currently exploring additional strategies with contractor support to further 
enhance the controls around segregation of duties. 

The OIG report states "FEMA has not adequately monitored the status of its mission 
assignments." In addition the report identified FEMA "could not provide all supporting 
documentation for a sample of non-mission assignment, non-adequately monitored the 
status of its mission assignment obligations nor ensured the timely de-obligation of 
mission assignments." FEMA has indentified and further developed actions to include: 

• Proposal to elevate Mission Assignments to a separate program area to include the 
proper resources to accomplish intra-governmental reconciliations and close-out. 

• In the process of developing UDO verification & validation processes to include 
identifying UDO balances to be de-obligated. FEMA OCFO issued a directive to 
perform quarterly UDO reviews and is currently developing a UDO Manual to 
detail FEMA's roles and responsibilities in reporting/closing these balances. 

The OIG report states "FEMA has not maintained records of actual costs for its internal 
use software in development." In addition FEMA "does not have procedures in place to 
periodically assess the reliability of its internal use software estimates." FEMA has 
performed the following to address this control deficiency: 

• FEMA's Financial Management , Information Technology and Program Offices 
have partnered to identify all IT systems meeting the requirements of internal use 
software capitalization and have broken down the systems into the following 
categories: (1) in development; (2) in production between 1 - 3 years; and (3) in 
production over 3 years. 



• Identified and listed all systems and received a completeness assertion from the 
system owners. 

• Held joint OCFO/OIT work shops to provide requirements to identify and book 
actual costs for its internal use software. 

• Developing an internal uses software directive/manual to detail roles and 
responsibilities in identifying, tracking and recording software cost. 

In closing, FEMA takes the OIG's findings and recommendations seriously and is 
committed to establishing a strong system of internal controls which includes up-to-date 
policies, procedures and processes. 



Norman Dong 
Chief Financial Officer 

cc: Michael Wetklow, DHS 
Faith Kim, KPMG 
Terrell Tindull, OIG 



Sincerely, 
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Department of Homeland Security 

Secretary 

Deputy Secretary 

Chief of Staff for Operations 

Chief of Staff for Policy 

Acting General Counsel 

Executive Secretariat 

Director, GAO/OIG Liaison Office 

Assistant Secretary for Office of Policy 

Assistant Secretary for Office of Public Affairs 

Assistant Secretary for Office of Legislative Affairs 

Acting Chief Financial Officer 

DHS GAO/OIG Audit Liaison 

Federal Emergency Management Agency 

Under Secretary 
Chief Financial Officer 
FEMA Audit Liaison 

Office of Management and Budget 

Chief, Homeland Security Branch 
DHS OIG Budget Examiner 

Congress 

Congressional Oversight and Appropriations Committees, as 
appropriate 




ADDITIONAL INFORMATION AND COPIES 

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199, 
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. 



OIG HOTLINE 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal 
misconduct relative to department programs or operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, 
Attention: Office of Investigations - Hotline, 
245 Murray Drive, SW, Building 410, 
Washington, DC 20528. 



The OIG seeks to protect the identity of each writer and caller. 



